How many times have you been at your computer and seen a message flash across the screen warning that the site you are about to visit could be a threat to your security?
A trio of researchers at Brigham Young University in Utah wanted to dig deeper into the psychology of people who ignore those messages — which is many of us a lot of the time.
Many people, they say, claim to care about computer security but behave in ways that put themselves at risk for getting viruses and other unwanted computer intrusions. Their new study aims to find out what goes on in the minds of these users.
According to BYU neuroscientist Brock Kirwan, online security often depends on people heeding the warning messages.
“The weakest part of your security chain is the users themselves," he said. "So your computer is fairly secure. But if you can get people to engage in insecure computing behaviors, to get people to open up the attachment to the email or to enable macros or something like that, it’s pretty easy to gain access to their computer in that case. So, knowing who’s going to engage in these risky behaviors could help you to design systems that sort of circumvent these things."
The researchers designed an experiment involving a group of students who used their own laptops. The students played a game in which they were asked to identify whether they thought images of the superhero Batman were animated or photographed.
Throughout the experiment, warning signs popped up from time to time on their screens suggesting there were malware issues with the Batman site.
If the students ignored enough of the warnings, they were “hacked” — a message from an “Algerian hacker” with a laughing skull and crossbones and a ten-second timer came on the screen with the words “Say goodbye to your computer.”
Anthony Vance is a professor of information systems at BYU.
“Because with the countdown timer, they only had a few seconds to make a decision," Vance said. "Some people yanked out the network cable. Some people slammed the laptop lid shut. So they were definitely concerned about the data."
Fortunately, none of the hacking messages was genuine. But the students’ behavior — ignoring the messages — was counter to previous responses by the students that they cared about computer security.
Repeatedly seeing the security warnings caused the subjects to begin to ignore them, something called “habituation,” according to Vance.
“If users just dismiss the warnings without thinking, then that’s a big problem," he said. "So, we’re looking at how to change things up, how to keep the warning messages fresh in appearance so that the brain accords attention at the time that it sees the message."
The findings were published in the Journal for the Association for Information Systems. The Brigham Young University investigators say computer makers in Silicon Valley are interested in their work.
They are planning future experiments using high tech brain imaging, called fMRI, and tracking computer mouse movements to also try to predict how we respond to computer security.
